H12-721 Questions and Answers

Question # 6

In IPSec VPN, which statement about the difference between aggressive mode and main mode is incorrect?

A.

Main mode does not support NAT traversal in pre-shared key mode, but aggressive mode does.

B.

Main mode negotiation uses 6 messages, and aggressive mode uses 3.

C.

In the NAT traversal scenario, the peer ID cannot use the IP address.

D.

Main mode encrypts the exchange of identity information, while aggressive mode does not encrypt identity information.

Question # 7

In the IDC room, a USG firewall can be used to divide into several virtual firewalls, and then the root firewall administrator generates a virtual firewall administrator to manage each virtual firewall.

A.

TRUE

B.

FALSE

Question # 8

When the user logs in to the virtual gateway web page and is prompted with “Cannot display web page”, what is the possible cause of the failure?

A.

The user PC and the virtual gateway are unreachable.

B.

The IP address of the virtual gateway has been changed.

C.

uses a shared virtual gateway

D.

The client browser is set to use a proxy server.

Question # 9

The branch firewall of an enterprise is configured with NAT. As shown in the figure, USG_B is the NAT gateway. The USG_B is used to establish an IPSec VPN with the headquarters. Which parts of the USG_B need to be configured?

A.

Configure the nat policy. The reference rule is to allow the source and destination of the intranet to be all ACLs.

B.

Configure the IKE peer, use the name authentication, and remote-address is the outbound interface address of the headquarters.

C.

Configure the nat policy. The reference rule is to protect the data flow from the enterprise intranet to the headquarters intranet in the first deny ipsec, and then permit the data flow from the intranet to the internet.

D.

Configure an ipsec policy template and reference ike peer

Question # 10

The SSL VPN scenario under dual-system hot standby is shown in the following figure. The administrator has enabled the SSL network extension function. The following is about the configuration of the SSL VPN function.

A.

virtual gateway created on the master side will not be synchronized to the slave side.

B.

Bind the address pool to VRRP backup group 2 when configuring network extensions.

C.

The virtual gateway IP address of the SSL VPN in USG_A must use 202.38.10.2.

D.

The virtual gateway IP address of the SSL VPN in USG_B must use 10.100.10.2.

Question # 11

Both AH and ESP protocols of IPSec support NAT traversal

A.

TRUE

B.

FALSE

Question # 12

The ACK flood attack is defended by the load check. The principle is that the cleaning device checks the payload of the ACK packet. If the payloads are all consistent (if the payload content is all 1), the packet is discarded.

A.

TRUE

B.

FALSE

Question # 13

The malformed packet attack technology uses some legitimate packets to perform reconnaissance or data detection on the network. These packets are of legitimate application types, but they are rarely used in normal networks.

A.

TRUE

B.

FALSE

Question # 14

Which of the following encryption methods does IPSec VPN use to encrypt communication traffic?

A.

public key encryption

B.

private key encryption

C.

symmetric key encryption

D.

pre-shared key encryption

Question # 15

USG dual-system hot standby can be used only when certain conditions are met. Which of the following statements are correct?

A.

The active and standby devices must have the same product model.

B.

The software version of the active and standby devices must be the same.

C.

The interface IP of the active and standby devices must be the same.

D.

The primary device must be configured, and the standby device does not require any configuration.

Question # 16

The principle of HTTPS Flood source authentication defense is that the Anti-DDoS device, in place of the SSL server, completes the TCP three-way handshake with the client. If the TCP three-way handshake is complete, the HTTPS flood source authentication check is successful.

A.

TRUE

B.

FALSE

Question # 17

An administrator can view the IPSec status information and debugging information as follows. What is the most likely fault?

A.

local ike policy does not match the peer ike policy.

B.

The local ike remote name and the peer ike name do not match.

C.

local ipsec proposal does not match the peer ipsec proposal.

D.

The local security acl or the peer security acl does not match.

Question # 18

Which of the following configurations is mandatory when the IKE peer needs to be referenced to the IPSec policy template in the headquarters-branch-based IPSec VPN network (pre-shared key + NAT traversal)?

A.

ipsec proposal

B.

exchange-mode aggressive

C.

pre-shared-key

D.

remote-address

Question # 19

In the USG firewall, which two commands can be used to view the running status and memory/CPU usage of the device components (main control board, board, fan, power supply, etc.)?

A.

display device

B.

display environment

C.

display version

D.

dir

Question # 20

When the firewall works in the dual-system hot backup load balancing environment, if the upstream and downstream routers are working in the routing mode, you need to adjust the OSPF cost based on HRP.

A.

TRUE

B.

FALSE

Question # 21

To prevent DHCP server spoofing attacks, DHCP snooping is usually enabled. Which statement is correct?

A.

The firewall interface connected to the user is configured in trusted mode.

B.

The firewall interface connected to the DHCP server is configured as untrusted mode.

C.

DHCP relay packets received on the interface in the untrusted mode are discarded.

D.

The DHCP relay packet received in the trusted mode and passed the DHCP snooping check.

Question # 22

What is the correct statement about the ip-link feature?

A.

ip-link is a function to detect link connectivity

B.

ARP detection mode only supports detecting direct links (or forwarding through Layer 2 devices in the middle)

C.

The firewall sends ICMP or ARP packets to a probe destination address to determine whether the destination address is reachable.

D.

ip-link is associated with VGMP, the ip-link status is down, and the VGMP management group priority is lowered by default.

Question # 23

What are the correct descriptions of IPSec and IKE below?

A.

IPSec has two negotiation modes to establish an SA. One is manual (manual) and the other is IKE (isakmp) auto-negotiation.

B.

IKE aggressive mode can choose to find the corresponding authentication key according to the negotiation initiator IP address or ID and finally complete the negotiation.

C.

The NAT traversal function deletes the verification process of the UDP port number during the IKE negotiation process, and implements the discovery function of the NAT gateway device in the VPN tunnel. That is, if a NAT gateway device is found, UDP encapsulation will be used in the subsequent IPSec data transmission.

D.

IKE security mechanisms include DH Diffie-Hellman exchange and key distribution, complete forward security and SHA1 encryption algorithms.

Question # 24

In the abnormal traffic cleaning solution, to ensure that the attack traffic can be imported into the cleaning center for cleaning, the VRRP is implemented in Step 12 as shown in the figure. The management center adopts the following configuration: select Configuration --> Anti-DDoS --> "Drainage management", create a drainage task, and configure the protected IP address to 10.1.3.10/32. What kind of route will the cleaning center generate after the above steps are configured?

A.

destination address is the 32-bit static host routed by the attacker.

B.

Destination address is routed by the attacker's 0-bit iEGP host

C.

destination address is routed by the attacker's 32-bit eBGP host.

D.

source address is the attacker's 32-bit static host route

Question # 25

In the application scenario of the virtual firewall technology, the more common service is to provide rental services to the outside. If the virtual firewall VFW1 is leased to enterprise A and the virtual firewall VFW2 is leased to enterprise B, which of the following statements is incorrect?

A.

The system provides independent system resources for the virtual firewalls VFW1 and VFW2, and they do not affect each other.

B.

is transparent to users, and the business between enterprise A and enterprise B is completely isolated, just like using firewalls separately.

C.

Enterprise A and Enterprise B can overlap addresses and use VLANs to separate different VLANs.

D.

Enterprise A and Enterprise B cannot manage their own virtual firewalls independently and must be managed by the administrator of the lessor.

Question # 26

When using the Radius server to authenticate users, (the topology is as shown below), not only must the username and password be stored on the Radius server, but the username and password must also be configured on the firewall.

A.

TRUE

B.

FALSE

Question # 27

The classification of cyber-attacks includes traffic-based attacks, scanning and snooping attacks, malformed packet attacks, and special packet attacks.

A.

TRUE

B.

FALSE

Question # 28

In the abnormal traffic cleaning solution of Huawei, in the scenario of bypass deployment, dynamic routing and drainage does not require manual intervention. If an abnormality is detected, the management center generates an automatic drainage task. The traffic is sent to the cleaning device.

A.

TRUE

B.

FALSE

Question # 29

What is the correct statement about the Eth-trunk function?

A.

Improve the communication bandwidth of the link

B.

Improve data security

C.

traffic load sharing

D.

Improve the reliability of the link

Question # 30

When the ip-link link health check is performed, how many times must it fail to receive the message before the link is considered to have failed?

A.

1 time

B.

2 times

C.

3 times

D.

5 times

Question # 31

Which option is incorrect about the HTTP Flood defense principle?

A.

HTTP Flood source authentication

B.

URI detection of destination IP

C.

fingerprint learning

D.

load check

Question # 32

The SSL VPN authentication login is unsuccessful and the message "Bad username or password" is displayed. Which one is wrong?

A.

username and password are entered incorrectly

B.

user or group filter field configuration error

C.

certificate filter field configuration error

D.

administrator configured a policy to limit the source IP address of the terminal
